A new vulnerability known as Certifi-gate has been spotted in Android, affecting millions of devices. Here's what you need to do next to protect your Android phone from Certifi-gate. How to scan your Android phone for Certifi-gate. Also see: How to remove a virus from Android.
Check Point Software Technologies have spotted a vulnerability in Android known as Certifi-gate that can allow hackers to remotely take over a device, steal personal data and spy on your activities. Certifi-gate affects hundreds of millions of devices from top manufacturers. Here's how to scan your phone now to check whether it is vulnerable to Certifi-gate.
Following fast on the heels of Stagefright comes Certifi-gate, which affects apps preloaded by the manufacturer or mobile operator, allowing them to troubleshoot problems with your device from afar. Certifi-gate allows other third-party apps to also take advantage of these back doors to your device. Also see: How to protect your Android phone from the Stagefright text message virus.
"It potentially allows cybercriminals to take complete control of any of these Android devices, enabling them to steal information from contact lists, calendars, location, anything that you have on your device," Check Point VP of product management Gabi Reish, told CBS News.
"More than that, it can turn a victim's mobile device into a spy phone. That means bad guys can activate the microphone at any time they want. I can record anything I want to, in any meeting, any conference room. It's quite problematic." Also see: Best Android antivirus apps.
HTC is already rolling out a Certifi-gate fix for the HTC One M9 and HTC Desire line-up. It will be some time before fixes are rolled out by all phone makers, however. Also see: Best Android phones 2015.
How to protect your phone from Certifi-gate: Scan Android for Certifi-gate
Check Point Software Technologies advises that in the meantime the best way to protect your Android phone from Certifi-gate is to avoid installing apps outside the Google Play store. However, it admits that it's possible that even apps downloaded from Google's safehaven could be mailicious.
The company has issued a small Android app that allows you to scan your phone to find out whether it is vulnerable to Certifi-gate. The problem is, even when the app tells you that your phone is vulnerable it offers no fix for the vulnerability. But it remains useful in the sense that if you know you are at risk you will take extra caution in the apps you choose to download.
To download the Certifi-gate phone scanner launch the Google Play app on your phone and search for the Certifi-gate Scanner app from Check Point Software Technologies Ltd. It's a free app, and less than 1MB in size.
Tap the install button on the app page, accept its request to access your identity, then tap on Open once the app has installed.
You'll be prompted to contribute anonymously by sharing some information with Google Analytics and Check Point; this is enabled by default but you can remove the tick from the box if you prefer, then tap Proceed.
On the app's home page you'll see a large red circle with the legend 'Tap to Scan'. Do exactly that.
The scanner's progress will be shown onscreen, and when it reaches 100 percent you'll be informed whether or not your device is vulnerable.
Our Samsung Galaxy S6 on the UK Vodafone network was reported as vulnerable, and Check Point offered the following advice: "Your device model is affected by Certifi-gate vulnerabilities. An attacker can exploit the Certifi-gate vulnerabilities in order to take full control of your device, this includes full access to data such as contacts, calendar events, emails and text messages.
Below this is a button that you can tap for more information, which brings up a form that you must fill in if you want to receive the full Certifi-gate report. We did so, but no report was forthcoming, so until a fix is offered by Samsung/Vodafone we will have to be extra careful with which apps we choose to install.
Update 12 August: We finally received our email from Check Point (having written this article on 7 August), but for those of you still waiting for yours know that it wasn't especially worth the wait. It merely offers a link to download the Certifi-gate research report, read its Certifi-gate blog post, and find out more about how to protect your devices.
Where next? Visit Android Advisor.
Follow Marie Brewis on Twitter.